04-10-2020, 12:18 PM
This is a follow-up post aiming at addressing the use of Nginx as the WebServer in the DOH Server Setup, instead of the Apache WebServer used in the OP.
The Apache WebServer (httpd) is the grand-daddy of WebServers; I like it a lot and it has my complete trust. BUT, there are just situations where you can still use it, but behind the scenes. This is the case for the setup I'm intending to implement on my newly deployed CentOS-8 on VirMach's Phoenix-based VPS-9. In this setup, I'm using Nginx as the public-facing WebServer where all HTTPS connections will terminate, serving as both a static web server and a reverse-proxy for a bunch of services running in the host, among them httpd, nodejs, etc. The intent of such a setup is to leverage the power of Nginx as an asynchronous web server.
Enter the question of how to rewrite the OP with this adjustment. The answer is that everything stays the same except for the third section, which should be replaced by the following:
Nginx as the Reverse-Proxy in our DoH Server Stack
In this post I'll skip the actual TLS setup steps [2], and will just present the actual configuration of the server block of our generic 'doh.example.com':
Code:
server {
    listen 443 ssl http2;
    server_name doh.example.com;
    # Dummy document root: nothing is ever served from disk on this vhost
    root /tmp/NOEXIST;

    # Anything other than the DoH endpoint gets a plain 404
    location / {
        return 404;
    }

    # RFC 8484 DoH endpoint, proxied to the local DoH server on port 8053
    location /dns-query {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_redirect off;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400;
        proxy_pass http://127.0.0.1:8053/dns-query;
    }

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ssl_certificate /etc/letsencrypt/live/doh.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/doh.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Enable OCSP Stapling (ssl_stapling must be switched on explicitly;
    # ssl_trusted_certificate alone does not enable it), point to certificate chain
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate "/etc/letsencrypt/live/doh.example.com/fullchain.pem";
}
Notes:
[1]-As the title suggests, I've exclusively reserved this thread for DoH. I'll post another tutorial about a setup where Nginx is proxying both DoT and DoH queries.
[2]-In the above-mentioned upcoming tutorial, I'll discuss the TLS setup in the Nginx context.
Stay tuned!
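A small smoke test, added here as an example and not part of the original post, that exercises the proxied /dns-query endpoint in both RFC 8484 request forms (GET with an unpadded base64url `dns` parameter, and POST with the application/dns-message media type) and decodes the answer header so you can confirm the Nginx-to-8053 path actually returns DNS answers. The hostname doh.example.com and the endpoint path come from the server block above; the queried name example.com is an assumption.

```python
import base64
import struct
import urllib.request

DOH_URL = "https://doh.example.com/dns-query"   # endpoint from the nginx block above
MEDIA_TYPE = "application/dns-message"           # RFC 8484 media type

def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a minimal RFC 1035 wire-format query: header + one IN question.
    txid 0 keeps GET URLs identical for identical questions (RFC 8484, 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(base: str, query: bytes) -> str:
    """GET form: the query as unpadded base64url in the `dns` parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base}?dns={encoded}"

def parse_response_header(response: bytes) -> tuple:
    """Return (rcode, answer_count) from a wire-format DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS message")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return flags & 0x000F, ancount

def query_doh(name: str, use_post: bool = False, base: str = DOH_URL) -> tuple:
    """Send one query through the nginx-fronted endpoint and decode the reply."""
    wire = build_dns_query(name)
    if use_post:
        req = urllib.request.Request(base, data=wire, method="POST",
                                     headers={"Content-Type": MEDIA_TYPE, "Accept": MEDIA_TYPE})
    else:
        req = urllib.request.Request(doh_get_url(base, wire), headers={"Accept": MEDIA_TYPE})
    with urllib.request.urlopen(req, timeout=10) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.startswith(MEDIA_TYPE):
            raise ValueError(f"unexpected Content-Type from proxy: {ctype}")
        return parse_response_header(resp.read())

if __name__ == "__main__":
    # Both RFC 8484 request forms should come back through nginx with rcode 0 (NOERROR)
    print("GET :", query_doh("example.com"))
    print("POST:", query_doh("example.com", use_post=True))
```

Pair it with `curl -sI https://doh.example.com/` to confirm the catch-all location still answers 404 and carries the HSTS header.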